In a recent blog post, Microsoft revealed that the same Russian hackers who breached SolarWinds also targeted other organizations, including government agencies, think tanks, consultants and non-governmental organizations. The company said the hackers used a variety of techniques to gain access to victims’ networks, including password cracking, brute force and phishing.
Microsoft said it has been tracking the activity of the hackers, whom it calls Nobelium, since December 2020, when it discovered they had compromised SolarWinds, a software vendor that provides network management tools to thousands of customers. The hackers inserted malicious code into SolarWinds software updates, allowing them to eavesdrop on affected organizations’ communications and data.
According to Microsoft, Nobelium has continued to launch attacks against various entities involved in international development, humanitarian and human rights work. The company said it notified all of its customers who were attacked or compromised by the hackers and provided them with guidance and resources to protect their systems.
Microsoft also said it has been working with the U.S. government and other partners to share information and coordinate responses to the threat. The company urged all organizations to take steps to protect themselves from cyber attacks, such as enabling multi-factor authentication, updating software and systems, and educating employees about phishing and social engineering.
In a recent update, Microsoft revealed more details about the sophisticated cyberattack carried out by Midnight Blizzard, a Russian-backed hacking group. The attackers used a technique called password spraying, which involves trying common passwords across multiple accounts, to breach a legacy email system that Microsoft was in the process of decommissioning. The attackers then used the compromised accounts to access a small number of Microsoft corporate email accounts, mostly belonging to senior executives and employees in sensitive departments. The attackers also downloaded some emails and attachments from these accounts.
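Password spraying is detectable precisely because of the pattern the paragraph describes: one source producing a small number of failures against many different accounts, rather than many failures against one. The following detection script is an added example written for this article, not code from Microsoft or HPE; the sign-in log format, the IP addresses and account names, and the thresholds (window size, minimum distinct accounts, failures-per-account ratio) are all constructed assumptions chosen for illustration. It classifies each source address as spraying, brute-forcing a single account, or normal, and records any successful sign-in that occurred inside a spray burst so it can be escalated.

```python
"""Password-spray detection over constructed sign-in log lines.

Added example for this article, not code from Microsoft or HPE. The log
format, sample values and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   "<ISO-8601 timestamp> <source_ip> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-01-12T02:00:01Z 203.0.113.7 alice FAIL
2024-01-12T02:00:03Z 203.0.113.7 bob FAIL
2024-01-12T02:00:05Z 203.0.113.7 carol FAIL
2024-01-12T02:00:07Z 203.0.113.7 dave FAIL
2024-01-12T02:00:09Z 203.0.113.7 erin FAIL
2024-01-12T02:00:11Z 203.0.113.7 frank FAIL
2024-01-12T02:00:13Z 203.0.113.7 grace SUCCESS
2024-01-12T02:05:00Z 198.51.100.9 alice FAIL
2024-01-12T02:05:01Z 198.51.100.9 alice FAIL
2024-01-12T02:05:02Z 198.51.100.9 alice FAIL
2024-01-12T02:05:03Z 198.51.100.9 alice FAIL
2024-01-12T02:05:04Z 198.51.100.9 alice FAIL
2024-01-12T02:05:05Z 198.51.100.9 alice FAIL
2024-01-12T02:05:06Z 198.51.100.9 alice FAIL
2024-01-12T09:00:00Z 192.0.2.20 alice SUCCESS
2024-01-12T09:01:00Z 192.0.2.20 bob FAIL
2024-01-12T09:01:30Z 192.0.2.20 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_accounts=5,
                     min_failures=5, max_fails_per_account=3):
    """Return {source_ip: (verdict, detail)} for verdicts "spray", "brute_force" or "normal".

    spray:       within one window, failures spread across >= min_accounts distinct
                 accounts with fewer than max_fails_per_account failures each.
    brute_force: within one window, >= min_failures failures against a single account.
    Thresholds are assumed values; tune them against real baseline traffic.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp so windows are contiguous
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        verdict, detail = "normal", {}
        # Slide a window starting at each event from this source.
        for i, (start, _, _, _) in enumerate(evs):
            fails = defaultdict(int)
            successes = set()
            for ts, _, account, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[account] += 1
                else:
                    successes.add(account)  # a hit inside a burst is the thing to escalate
            total = sum(fails.values())
            if len(fails) >= min_accounts and total / len(fails) < max_fails_per_account:
                verdict = "spray"
                detail = {"accounts": len(fails), "failures": total, "hits": sorted(successes)}
                break
            if len(fails) == 1 and max(fails.values()) >= min_failures:
                verdict = "brute_force"
                detail = {"account": next(iter(fails)), "failures": total}
                break
        verdicts[ip] = (verdict, detail)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, detail) in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {verdict:12} {detail}")
```

The two detection rules are deliberately distinct: a per-account lockout policy catches the brute-force source but not the spraying one, because each sprayed account sees only a single failure. Keying the analysis on the source address (or, in a cloud directory, on the sign-in correlation data) is what makes the spray visible, and a success inside the burst is the signal worth paging on.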
One of the most interesting aspects of the attack is that the hackers appeared to be seeking information about themselves and their activities, presumably to gauge how much Microsoft knows about them and their methods. Microsoft said it has been working closely with authorities and other partners to investigate and respond to the incident, and has taken steps to improve its security posture and protect its customers.
Another company affected by the Midnight Blizzard campaign is Hewlett Packard Enterprise (HPE), which announced Thursday that its Microsoft-hosted email system was breached by the same group. HPE said it was notified of the breach on Dec. 12 and that its own investigation found that the attackers had accessed and extracted data from a small percentage of HPE’s mailboxes as of May 2023. HPE also said this incident was related to an earlier one in which the hackers stole some SharePoint files from its network.
The connection between the two incidents is unclear at this time, but it suggests that Midnight Blizzard has been conducting a long-term, targeted espionage operation against multiple companies and organizations. The full scope and impact of the group’s activities are still unknown, but the incidents demonstrate the high level of sophistication and persistence of this threat actor.